Related

I've always had this nagging feeling about Coinbase’s exchange service and I just couldn't quite put my finger on it.

The San Francisco startup receives praise for its simple method of acquiring and selling bitcoins, a digital currency, via one’s U.S. bank account. In fact, Coinbase, founded in June 2012, is now selling over $1 million worth of bitcoins per month. The firm apparently ran out of inventory last week.

Then, it hit me. This is just like buying bitcoins from your bank – or from the Internal Revenue Service. If a bank offered a bitcoin purchasing option from its website, it would look like Coinbase. If Coinbase cut them in on the commission, it could probably white-label the service directly to banks.

Jon Matonis

Nothing wrong with that, but it means Coinbase fails to leverage the unique financial privacy aspects of the Bitcoin network. I do not fault founder and CEO Brian Armstrong, because he’s launched a much-needed Bitcoin service at a critical point in the digital money's evolution. Here's the rub: to address the fraud and compliance issues around the irreversible sale of a privacy product, Coinbase has simply removed the privacy.

Currently, Coinbase provides its exchange service in the U.S. only and it offers two methods for linking a bank account, “instant account verification” and “challenge deposit verification.” For those who are uncomfortable providing their private online banking usernames and passwords to Coinbase, the alternate method offers a typical challenge deposit process similar to linking a bank account to PayPal. (In challenge verification, a company makes two small deposits to the user’s account, and the user proves she is the accountholder by entering those amounts into the company’s site.) Coinbase does not allow for other less-intrusive payment methods, such as a cash deposit at a bank branch, via an intermediary like TrustCash, or cash bill payment at a retail location, through a network like ZipZap.

Coinbase is not licensed as a money transmitter in any state, nor is it registered as a money services business with the U.S. Treasury’s Financial Crimes Enforcement Network. I applaud the company for dispensing with these formalities because, since it is only selling a cryptographic token and not a financial instrument, such registration and licensure is not legally required.

The company says it has an anti-money laundering program, but it was not listed on their web site, and again, it is not a legal requirement for this business. Besides, the majority of what constitutes an AML program is already covered via Coinbase's strong relationship to the user's financial institution, with one of the exceptions being the identification of aggregated transactions from multiple bank accounts. But even this would be easy enough for Coinbase to determine based on the additional user data collected.

According to its privacy policy, Coinbase collects data about visitors to the site sent by their computer or mobile phone (e.g. IP addresses) and device information including but not limited to identifier, name and type, operating system, location, mobile network information and standard web log information. Those who sign up for the service may have to provide their name, address, phone number, email address, and bank or credit card numbers. Before using the service, customers may further have to give a Social Security number or birthdate, and they are subject to credit checks or identity verification by third parties.

Furthermore, there is no indication that Coinbase deletes the internal bitcoin wallet transfer logs or the associated bitcoin address logs. With more observable data points, the privacy of all bitcoin transactions can become cumulatively degraded.

By criticizing the collection of personal information for the purchase of bitcoin, a harmless cryptography product, I am not simply "letting the perfect being the enemy of the good." Caution is strongly advised when dealing with Coinbase. The potential exists for enhanced surveillance and network traffic analysis enabled by the supreme identity management that comes built-in with Coinbase. For instance, it would not be advisable to play Bitcoin casino games or poker with Coinbase-acquired bitcoins that weren't properly "mixed."